Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

GKE Secrets OR Google Secret manager

Tags:

google-cloud-platform

google-kubernetes-engine

kubernetes-secrets

google-secret-manager

Does anyone know in which case choose Kubernetes secrets instead of google secret manager and the reverse ? Differences between the two ?

like image 388
DE_WMA Avatar asked Nov 22 '20 18:11

DE_WMA

People also ask

How do you access secrets in secret Manager GCP?

To use Secret Manager on the command line, first Install or upgrade to version 378.0. 0 or higher of the Google Cloud CLI. On Compute Engine or GKE, you must authenticate with the cloud-platform scope. To run this code, first set up a C# development environment and install the Secret Manager C# SDK.

What is Google secrets manager?

Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.

How do you read secret Manager secrets?

You can retrieve your secrets by using the console (https://console.aws.amazon.com/secretsmanager/ ) or the AWS CLI ( get-secret-value ). In applications, you can retrieve your secrets by calling GetSecretValue in any of the AWS SDKs. However, we recommend that you cache your secret values by using client-side caching.

1 Answers

With Kubernetes secret (K8S Secret), you use a built in feature of K8S. You load your secrets in config maps, and you mount them on the pods that require them.

PRO

If a day you want to deploy on AWS, Azure or on prem, still on K8S, the behavior will be the same, no update to perform in your code.

CONS

The secrets are only accessible by K8S cluster, impossible to reuse them with another GCP services

Note: With GKE, no problem the ETCD component is automatically encrypted with a key form KMS service to keep the secret encrypted at rest. But, it's not always the same for every K8S installation, especially on premise, where the secrets are kept in plain text. Be aware about this part of the security.

Secret Manager is a vault managed by Google. You have API to read and write them and the IAM service checks the authorization.

PRO

It's a Google Cloud service and you can access it from any GCP services (Compute Engine, Cloud Run, App Engine, Cloud Functions, GKE,....) as long as you are authorized for

CONS

It's Google Cloud specific product, you are locked in.

like image 129
guillaume blaquiere Avatar answered Oct 27 '22 21:10

guillaume blaquiere
Sign in to Comment

Related questions

Getting error while running docker run :Error response from daemon
Google Cloud Function / Python 3.7 / requirements.txt makes deploy fail
Enable APIs using serviceusage API with a service account
Google Cloud Composer taking too long to install dependencies
Test Google SSO SAML on Localhost
how to keep GKE cluster nodes in different regions?
NEG says Pods are 'unhealthy', but actually the Pods are healthy
Bucket query permission denied in GCP despite service-account having the Owner role
Create random variable in Terraform and pass it to GCE startup script
Handling a Cloud Run container shutdown
GCP internal load balancer Global access (Beta) annotation does not work?
Accessing Google cloud API from local Project not Hosted on Google cloud platform
Do Firebase Cloud Functions require Billing to be enabled by April 20, 2020 because of the Cloud Build API?
Error 525 with Cloudflare and Google Cloud Run
Google cloud function not handling sigint
How to download a file from Google Cloud Platform storage
What is "Networking Traffic Egress GAE/Firebase Storage" means [closed]
Puppeteer error: Navigation failed because browser has disconnected
How to use Terraform `google_app_engine_domain_mapping` with service account?
DDOS in Cloud Run

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!